Hack attempts

Hello,
I have a couple Freepbx VM’s out there that seem to be suffering from this.

Each instance has the incoming route pointed at a ring group that rings all phones. At random times, usually after business hours, the phones will all start ringing. Caller ID will show a number like 300 or 3000, or sometimes nothing at all. The user answers the phones, but no one is there, just dead air. I check the SIP trunk provider log, but no calls are shown. I check the Freepbx CDR log, and the calls are logged. Sometimes like I mentioned, the CallerID field in the CDR report shows 300 or 3000 or 100 or something similar, but today the numbers looked like <“) or 1–> or even <‘)) or ((”))=((‘>. If I copy and pasted one into the blacklist, a few seconds later whatever is generating the calls will just try some new CallerID string. Calls seem to come in every 30 seconds and will persist for hours unless I intervene.

Question is, how do I prevent calls like this occurring in the first place? I assume they are hack attempts of some sort.

Is your pbx configured to allow anonymous calls and/or sip guests?

1 Like

Yes. We use CallCentric for sip trunks, and incoming calls won’t work unless those settings are turned off.

Restrict your firewall to only allow sip signalling traffic from call centric IP addresses.

According to CallCentric documentation they advise setting “Allow Anonymous” and “Allow SIP Guest” to “No”.

https://www.callcentric.com/support/device/freepbx/13

Hello,

Really need someones help!

I am having the same issue. So an extension number that i have not created will phone one of my extension. For example ext 1008 to ext 8008. Calls seem to come in every 30 seconds. You answer the phones and it’s dead air. Looking through SIP logs can not find where its originating? I am not allowing allow anonymous calls and/or sip guests.

Question is, how do i stop this? Is this a hack attempts of some sort?

Please help!

Many thanks
Andrew

I doubt it, since he is talking about calls hitting his ring groups. Unless that is exactly what you are seeing, you should have started a different thread. However, now that you’ve high-jacked this one, the suggestions for him might help you.

First - determine if the calls are actually coming in through your PBX. You can do this with the /var/log/asterisk/full log. If the calls are hitting your ring group, you will see the source address of the caller in the log. The source IP address for the call should be in the connect string.

Second - check your firewall logs, looking for connections into your local network on port 5060.

Third - check to see if your system is using call files to generate the calls. If that’s the case, someone or something has gotten a connection to your PBX through a website or email link that you need to address.

The phones don’t just ring by themselves. The calls have to be originating somewhere. Until you get a handle on where, we’re not really going to be of much help.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.